Meta

Month: March 2005

A tyrannical ruler of the medieval lands here once said “If you do not want me, well I do want you” when he was opposed to becoming a king, and he had his ways to enforce his saying and overcome all his opposers.

Well, for the sake of the freedom of the European Union and the freedom of software, let us hope that the same thing does not happen with Mr. Bill Gates too.

Because that is exactly the case nowadays, but to fully understand the situation I have to make a quick recapitulation of the facts.

With a more liberal environment and less control by corporate will, Europe and the countries of the European Union have always been a safe haven and the cradle of the open source software movement initiated by its American fathers (Richard Stallman, Eric Raymond).

One of the key facts protecting such freedom was the absence of American-style software patent laws within Europe, but that is now on the verge of collapse, as corporate interests in the growing European software markets have driven companies like Microsoft to do everything in their power to seize the new markets.

That is especially understandable when we look at recent global market analyses that rate America a mature market for software, meaning its rate of growth is small, the competition is fierce and the quality standards are high.

On the other hand, in Europe the young market has a towering growth rate, little to no competition, and a callow sense for quality, with few exceptions mostly in mission-critical and educational organizations.

However, there is good news: the European Commission said Thursday that it was not satisfied with Microsoft’s proposed licensing program for dozens of communications protocols, and the EU decided to fine Microsoft for anti-trust violations; furthermore, EU sleuths think Microsoft sabotaged Windows.

The bad news is that the EU Council has approved the Software Patent Directive while making a mockery of European ideals, and all this whilst acting in collusion with Microsoft, says high-profile MEP Dr. Maria Berger in a press release; she says that the Commission adopted the position of Microsoft founder Bill Gates on the subject “without further thought”. Gates had visited the Commission and the EP in February.

So please, go back home to the USA, Mr. Gates; we do not need your abject meddling nor your frail patents here in the EU.

I was baffled but not really surprised by a relatively new discovery by Dr. David Dunning that the people most likely to overestimate their skills in an area are the ones that do not have any skills in that area.

The logical explanation seems to be that the skills required for competence are often the same skills necessary to recognize competence.

Interestingly, unlike their unskilled counterparts, the most able subjects in the study, Kruger and Dunning found, were likely to underestimate their own competence.

The researchers attribute this to the fact that, in the absence of information about how others are doing, highly competent subjects assumed that others were performing as well as they were — a phenomenon psychologists term the “false consensus effect.”

This brings to mind a book that dates back to 1969 by Dr. Laurence Johnston Peter, The Peter Principle, which largely states that every person in an organization strives to reach, and eventually gets promoted to, their level of incompetence, at which they remain from then on.

In my opinion Dr. Dunning’s study sheds new light on The Peter Principle, because now we can assume that an explanation for why the person is never removed from his level of incompetence is that he appears to be at his most competent only while being utterly incompetent.

Now let us go way back to 1716 and see exactly the same thing portrayed in an old Japanese writing, the Hagakure.

QUOTE:
In one’s life, there are levels in the pursuit of study. In the lowest level, a person studies but nothing comes of it, and he feels that both he and others are unskillful. At this point he is worthless. In the middle level he is still useless but is aware of his own insufficiencies and can also see the insufficiencies of others. In a higher level he has pride concerning his own ability, rejoices in praise from others, and laments the lack of ability in his fellows. This man has worth. In the highest level a man has the look of knowing nothing.

Astonishingly, the insight into human nature from almost 300 years ago is still as valid and revealing as the modern studies.

Intrigued by these new perspectives, I have started a little survey of my own on a much smaller scale; more exactly, I am asking the users that take my PHP Skill Test and the Common Knowledge Test to estimate their competence for that test before seeing the test results.

In the above graph, notice how big the difference is at the end of the chart between the many with lots of confidence and the few with lots of knowledge.

In the above graph a small number on the scale reflects a minority while a big number reflects a majority; the distance between the two lines reflects the proportion between knowledge and confidence, and an equal amount of each is reflected where the lines cross.

The 2000 Ig Nobel Prize was awarded to David Dunning of Cornell University and Justin Kruger of the University of Illinois, for their report, “Unskilled and Unaware of It: How Difficulties in Recognizing One’s Own Incompetence Lead to Inflated Self-Assessments.” (published in the Journal of Personality and Social Psychology, vol. 77, no. 6, December 1999, pp. 1121-1134)

Extreme Programming, or XP for short, and the “agile” programming methodologies are the spearhead of what are known as lightweight programming methodologies, and are getting more popular every day.

They relate closely to open source methodologies and are essentially a license to hack for the oppressed corporate developers, so I can easily understand their joy and sympathize with these methods myself.

In my opinion, the agile XP method is nothing else but a definition, standardization and enhancement of the development methods that are used outside of the monolithic methodologies of corporate bureaucracy, and that is by itself a very good thing if those standards start to be used inside corporations, and is definitely something they have to thank the open source movement for.

It looks like it is going to be a bleak year for phpBB security-wise; do not get me wrong however, I am a big fan of the software and it is the bulletin board that I will always use.

With no less than 3 major security vulnerabilities in the last 3 months and still hundreds of unpatched installations providing a rich meal for the growing number of phpBB worms, I was recently surprised to discover that some of my phpBB installations were on the menu.

It was about one hour into 27 Feb when I took a quick glance at my server logmon screen on my way to bed, and I could not help being startled by the chr(32)%252Echr(113)…. strings I saw in some recent HTTP requests while the error log printed some messages about writing to /tmp/. Now there was no doubt: I stopped Apache, killed perl and the shell bot running under it, cleared /tmp and started googling.

Introducing CAN-2004-1315 and the Santy/AWS worm variant by some Brazilian hackers, who with it compromised my system and tried to make it just another zombie on their botnet, which the kind people at SANS promptly closed down after my report.
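An added example, not code from the original post, of the kind of check I would run over the Apache access log to spot the requests described above before the error log starts complaining about /tmp/: it assumes the common log format, undoes the double URL-encoding (%252E is an encoded %2E, which is an encoded dot) and flags any request whose decoded query string contains a chain of chr() calls. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access log lines (not real traffic). The second line
# carries the double-encoded chr() sequence the post describes; the others are
# ordinary phpBB requests.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2005:01:02:11 +0100] "GET /phpBB2/viewtopic.php?t=42&highlight=security HTTP/1.1" 200 8192
203.0.113.9 - - [27/Feb/2005:01:03:40 +0100] "GET /phpBB2/viewtopic.php?t=42&highlight=chr(32)%252Echr(113)%252Echr(32) HTTP/1.0" 200 6120
203.0.113.7 - - [27/Feb/2005:01:05:02 +0100] "GET /phpBB2/index.php HTTP/1.1" 200 3301
"""

# Common log format: client, ident, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# After decoding, chr(NN) joined by dots is PHP being concatenated together,
# which has no business appearing in a forum search/highlight parameter.
CHR_CHAIN_RE = re.compile(r'chr\(\d+\)(?:\.chr\(\d+\))+', re.IGNORECASE)


def decode_twice(s):
    """Undo double URL-encoding: %252E -> %2E -> '.'"""
    return unquote(unquote(s))


def classify(url):
    """Return the list of indicator names found in one request URL."""
    hits = []
    if '%25' in url.lower():          # a literal '%' re-encoded: double encoding
        hits.append('double-encoded')
    if CHR_CHAIN_RE.search(decode_twice(url)):
        hits.append('chr-chain')
    return hits


def scan_log(text):
    """Return (ip, timestamp, url, indicators) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                   # not a request line we understand; skip
        hits = classify(m['url'])
        if hits:
            findings.append((m['ip'], m['ts'], m['url'], hits))
    return findings


if __name__ == '__main__':
    for ip, ts, url, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {','.join(hits)} {url}")
```

On a live box, feed it the real access log and treat every hit as a reason to check /tmp/ and the process list, as the post describes.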

Now fast forward to today: I am now all upgraded from phpBB 2.0.5 to 2.0.12, but that does not make me less curious when I see messages about failing to allocate memory, an issue I am aware of occurring when doing phpBB backups, but I am not doing any.

Introducing CAN-2005-0614: as I have not upgraded to phpBB 2.0.13 yet, now anyone can perform administrative tasks on my board.
Well, that by itself is not a security compromise for my machine, BUT, introducing http://www.securityfocus.com/bid/7932, it seems that anyone having phpBB admin privileges can also run code (CAN-2004-1235) on my machine (and they did).

Evidently I am now all patched and upgraded to 2.0.13, one day short of my time for cleaning the box, and really concerned about the security future of phpBB, as at this time there is still no patch to stop a user with legitimate admin privileges from executing shell code on your system through admin_styles.php.